What happens if I fail Cyber Essentials?

The Cyber Essentials scheme is a UK-based cyber security certification which is run and backed by the National Cyber Security Centre (NCSC) and IASME. The certification is a requirement for working with Central Government and the Ministry of Defence (MoD), and more recently it has become a requirement in the financial sector and across supply chains.

But this doesn’t mean that if you don’t work with the UK government you shouldn’t comply with the scheme. The certification is a great way to ensure that you have best practices in place and that you have implemented a basic cyber security framework within your business.

But what is Cyber Essentials?

The Cyber Essentials certification is an annual certification which must be renewed to stay current. The certification comes in two versions. The basic certification is a point-in-time self-assessed questionnaire which is then marked by a certification body, like ourselves. The Plus certification is audited by a certification body, which checks that what you said in your basic certification is true.

The Cyber Essentials certification is a starting point for many businesses that want to ensure they have the basics in place, or that have been asked by their supply chain to implement Cyber Essentials and demonstrate that they comply with it.

Achieving the scheme helps businesses demonstrate that they are protecting information as well as caring for their reputation.

What happens if you fail Cyber Essentials Basic?

So you’ve completed the Cyber Essentials basic self-assessment as far as you can and submitted your answers, which tells a certification body, like InfoSec Governance, that your answers need to be marked. The certification body will read your answers, decide whether each one actually answers the question and whether it is compliant, and mark accordingly. If you fail certification this can lead to a few problems for you as a business, but there are things that can be done. A fail is not the end of the process.

Resubmit updated answers

If you fail certification, you will receive a notification that your submission has failed. The certification body will have marked your answers and highlighted any areas that either need more information (amber flags) or are non-compliances or outright failures (red flags). You have a few days to update your answers and re-submit. The certification body will re-mark and, if everything is OK, will award certification. Otherwise, the submission will either fail again or be sent back for further information. You get two chances to re-submit before an outright failure.


You have to reapply

If you fail the re-submission twice you will have to reapply for certification. This will be at additional cost to your business, and the cost will be the same as the initial certification attempt. This can be a time-consuming process for your business and cost you more money than was intended. By going with InfoSec Governance, we will perform a pre-submission review of your answers as part of the cost to ensure that all your answers are compliant before you officially submit your assessment.

Reputational impact

If you fail your initial or renewal Cyber Essentials assessment, this could impact your business reputation, especially if the certification is a requirement for tendering, supply chain requirements or core business services. By reading the guidelines set out by the NCSC and by going with a certification body like InfoSec Governance, you can reduce the chances of failing and keep your reputation intact.

What happens if you fail Cyber Essentials Plus?

Like the basic certification, Cyber Essentials Plus requires you to meet the scheme requirements and ensure that everything is in place. If you have passed the basic certification and everything is in place, passing Cyber Essentials Plus should be an easy process.

However, if during the audit specific requirements are found to be missing or not compliant with the scheme, you will get a chance to remediate any failures or non-compliances. You will have up to 30 days from the date of the audit (or 90 days from the basic certification date, whichever is first) to evidence that remediations have been put in place; once the auditor is satisfied with the evidence, you will be certified.

What can you do to reduce the chances of failure?

There are a few things you can do to reduce the chances of failing Cyber Essentials. These are as follows:

  • Read the IT requirements document for Cyber Essentials
  • Ensure no one is running as a local administrator for day-to-day activities
  • Ensure that software firewalls and antivirus software are installed and working on all devices (excluding mobile devices)
  • Ensure that multi-factor authentication is enabled for administrators and users on all cloud platforms
  • Ensure that you are not running unsupported or out-of-date operating systems and/or applications
  • Ensure that all software is kept up to date at all times
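Most of the controls in the list above can be checked on a Windows endpoint before you submit the self-assessment. The script below is an added example, not something from InfoSec Governance, the NCSC or IASME; it is a read-only self-check that assumes Windows 10/11 or Windows Server 2016 and later with the built-in LocalAccounts, NetSecurity and Defender PowerShell modules, run from an elevated prompt. The seven-day signature-age threshold is an assumption for illustration, and multi-factor authentication on cloud platforms cannot be verified from the endpoint, so it is reported as a manual check.

```powershell
# Added example: pre-submission self-check for the Windows-side Cyber Essentials controls.
# Read-only: it reports findings and changes nothing.

$findings = @()

# 1. Local administrators. The built-in Administrators group is looked up by its well-known
#    SID so the check works regardless of the Windows display language.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
$findings += [pscustomobject]@{
    Control = 'Local administrator membership'
    Result  = ($admins -join ', ')
    Note    = 'REVIEW: each member should be a dedicated admin account, not a daily-use user account'
}

# 2. Software firewall: the Domain, Private and Public profiles should all be enabled.
$disabledProfiles = Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' } |
    Select-Object -ExpandProperty Name
if ($disabledProfiles) {
    $fwResult = "Disabled: $($disabledProfiles -join ', ')"
    $fwNote   = 'FAIL: enable every firewall profile'
} else {
    $fwResult = 'All profiles enabled'
    $fwNote   = 'OK'
}
$findings += [pscustomobject]@{ Control = 'Windows Firewall profiles'; Result = $fwResult; Note = $fwNote }

# 3. Antivirus (Microsoft Defender): real-time protection on and signatures recent.
#    The 7-day maximum signature age is an assumed threshold for this example.
$mp = Get-MpComputerStatus
$sigAgeDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
$avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($sigAgeDays -le 7)
$avNote = if ($avOk) { 'OK' } else { 'FAIL: enable real-time protection and update signatures' }
$findings += [pscustomobject]@{
    Control = 'Antivirus (Microsoft Defender)'
    Result  = "Enabled=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled) SignatureAgeDays=$sigAgeDays"
    Note    = $avNote
}

# 4. Operating system build and most recent update, to compare against the vendor's
#    support dates and the patching window in the requirements document.
$os = Get-CimInstance Win32_OperatingSystem
$lastFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$findings += [pscustomobject]@{
    Control = 'Operating system and patching'
    Result  = "$($os.Caption) build $($os.BuildNumber); last hotfix $($lastFix.HotFixID) installed $($lastFix.InstalledOn)"
    Note    = 'REVIEW: build must be vendor-supported and updates applied within the required window'
}

# 5. MFA on cloud platforms has to be confirmed in each provider's admin console.
$findings += [pscustomobject]@{
    Control = 'MFA on cloud platforms'
    Result  = 'Not checkable from the endpoint'
    Note    = 'MANUAL: confirm MFA is enforced for all users and administrators on every cloud platform'
}

$findings | Format-Table -AutoSize -Wrap
```

Run it on a representative sample of devices rather than one machine; a single workstation with the firewall disabled or an out-of-date signature set is exactly the kind of finding that turns into a red flag when the certification body marks your answers, and finding it yourself first is far cheaper than a second submission.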

If you would like to achieve Cyber Essentials for your business, get in touch to see how we can help your business achieve certification quickly and easily.